Using Static Analysis For Software Defect Detection

I’ll talk about some of my experience in using and expanding static analysis tools for defect detection. The FindBugs tool developed at the Univ. of Maryland is now being widely used, including inside Google. I’ll give an overview of FindBugs, show some of the kinds of errors we routinely find in production code, discuss the methodology we use for enhancing and expanding FindBugs and some of the recent additions to it, discuss ways of incorporating FindBugs into your development process (such as being able to get a report of all the warnings introduced since the last release of your software), and talk about the future of static analysis, including things such as a new Java JSR to provide standard annotations for things such as @NonNull and @Tainted.